Ingress
Yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test
spec:
rules:
- host: xxx.ctg.com # optional
http:
paths:
- path: /foo
backend:
serviceName: service1
servicePort: xxHTTPS
假设我们想通过https://tomcat.ctg.com来访问tomcat服务,步骤如下。
首先,制作证书,此处我们使用自签名证书
$ openssl genrsa -out tls.key 1024
$ openssl req -x509 -new -nodes -key tls.key -subj "/CN=tomcat.ctg.com" -days 3650 -out tls.crt生成的tls.key与tls.crt的内容如下
$ cat tls.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC2m/jDgcOjuXOyr4HrOQmbQ3z7Mi5Acd6tY+RShnC6vpg+nCcH
FK2VahUu5f2cfXql4khJh61OOCaOjGb1snr/zhM4fXJt0d5hhSadNwvYH7WRdfLJ
bohYnGebow5gYdU526zJNMpvvEjVMIa7qYxS8bBl290V9b0NT4U5pTAOaQIDAQAB
AoGACenx2XtkCbF5zIumvAR+twU09dZFmI4WDsfLj4do+1p5nXyQydufiOsXd1JZ
MHPHgtYEIqnRCNwXi8mnlVM5Ri6HdjGKIRsk6saL06avPRHphZTGYl4Ih0KzORDI
Wz50mr7q55MafrX0NCVSxTA1662xKhhzOUILFh5bi8qHc+ECQQDedbtw3FxTgQF9
C/atddh+uu66yWYsOIF1yjpB5ys7P+TFz/0eQ6zzqLKCP0wSQUIlooQU5txOVX/R
AQ4SKWrlAkEA0iQgvI3RzDar5/iIIzVQj/TFrX5Z4BteCqnF0nHj7p3hR4iUZc+W
kuJ3ePhA5X7gwxJbsGsYCKgnE582gWFpNQJACSXgQmDdbxWkAQdn6nQpJfT78jRr
/i+Iq1ZYlPMzpOkYuEW4S/FOgGqUhKSjtTB3zuJi+hUQRCxh6C9Z68dGPQJAJVh0
VO4jTdadgHFDyHYOJjdK9kVRNanHcb+wP3EsH9kBE1Rrgxh8WwhSUTZVWjPNP/3A
O78cm1U+9JbD+gRUzQJBAMng0TUGABU3Avq0m4TanK2o1jBS6QV2uV/FXM1q9pOg
3nhSVjs6+TAfup/VjVUwGJfS0wyAWQFrRR3Ub/SL77k=
-----END RSA PRIVATE KEY-----
$ cat tls.crt
-----BEGIN CERTIFICATE-----
MIICADCCAWmgAwIBAgIJAO50kZMgRRbxMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV
BAMMDnRvbWNhdC5jdGcuY29tMB4XDTE5MTIyNjA3MzgyN1oXDTI5MTIyMzA3Mzgy
N1owGTEXMBUGA1UEAwwOdG9tY2F0LmN0Zy5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALab+MOBw6O5c7Kvges5CZtDfPsyLkBx3q1j5FKGcLq+mD6cJwcU
rZVqFS7l/Zx9eqXiSEmHrU44Jo6MZvWyev/OEzh9cm3R3mGFJp03C9gftZF18slu
iFicZ5ujDmBh1TnbrMk0ym+8SNUwhrupjFLxsGXb3RX1vQ1PhTmlMA5pAgMBAAGj
UDBOMB0GA1UdDgQWBBS16IlYfCTS1g3f9qm9sMkXoC0zSjAfBgNVHSMEGDAWgBS1
6IlYfCTS1g3f9qm9sMkXoC0zSjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
A4GBAIBUAIXwBrmEFj1TAzHVqUNH2OwTgwGqdz6BnZB57hKVoIxPrLARFxxZZruI
6UomdQe9bHU+wiA1VQdVX9rhsf9T5Y4e7e1ZmpxP4nHMTn5MYT25ax8A3p7+eHcU
5qjT5DGpj4cqV78+dIu6Ly2Uu35ZF4m5jB0sYF+c2Nz/pNII
-----END CERTIFICATE-----然后,创建一个secret,用来存储tls.key与tls.crt。在存储tls.key与tls.crt文件内容到secret时,要把文件的首尾两行去掉,然后把中间的行拼成一行(即去掉换行符),最后secret的内容如下:
apiVersion: v1
kind: Secret
metadata:
name: tomcat
type: kubernetes.io/tls
data:
tls.key: MIICXAIBAAKBgQC2m/jDgcOjuXOyr4HrOQmbQ3z7Mi5Acd6tY+RShnC6vpg+nCcHFK2VahUu5f2cfXql4khJh61OOCaOjGb1snr/zhM4fXJt0d5hhSadNwvYH7WRdfLJbohYnGebow5gYdU526zJNMpvvEjVMIa7qYxS8bBl290V9b0NT4U5pTAOaQIDAQABAoGACenx2XtkCbF5zIumvAR+twU09dZFmI4WDsfLj4do+1p5nXyQydufiOsXd1JZMHPHgtYEIqnRCNwXi8mnlVM5Ri6HdjGKIRsk6saL06avPRHphZTGYl4Ih0KzORDIWz50mr7q55MafrX0NCVSxTA1662xKhhzOUILFh5bi8qHc+ECQQDedbtw3FxTgQF9C/atddh+uu66yWYsOIF1yjpB5ys7P+TFz/0eQ6zzqLKCP0wSQUIlooQU5txOVX/RAQ4SKWrlAkEA0iQgvI3RzDar5/iIIzVQj/TFrX5Z4BteCqnF0nHj7p3hR4iUZc+WkuJ3ePhA5X7gwxJbsGsYCKgnE582gWFpNQJACSXgQmDdbxWkAQdn6nQpJfT78jRr/i+Iq1ZYlPMzpOkYuEW4S/FOgGqUhKSjtTB3zuJi+hUQRCxh6C9Z68dGPQJAJVh0VO4jTdadgHFDyHYOJjdK9kVRNanHcb+wP3EsH9kBE1Rrgxh8WwhSUTZVWjPNP/3AO78cm1U+9JbD+gRUzQJBAMng0TUGABU3Avq0m4TanK2o1jBS6QV2uV/FXM1q9pOg3nhSVjs6+TAfup/VjVUwGJfS0wyAWQFrRR3Ub/SL77k=
tls.crt: MIICADCCAWmgAwIBAgIJAO50kZMgRRbxMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNVBAMMDnRvbWNhdC5jdGcuY29tMB4XDTE5MTIyNjA3MzgyN1oXDTI5MTIyMzA3MzgyN1owGTEXMBUGA1UEAwwOdG9tY2F0LmN0Zy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALab+MOBw6O5c7Kvges5CZtDfPsyLkBx3q1j5FKGcLq+mD6cJwcUrZVqFS7l/Zx9eqXiSEmHrU44Jo6MZvWyev/OEzh9cm3R3mGFJp03C9gftZF18sluiFicZ5ujDmBh1TnbrMk0ym+8SNUwhrupjFLxsGXb3RX1vQ1PhTmlMA5pAgMBAAGjUDBOMB0GA1UdDgQWBBS16IlYfCTS1g3f9qm9sMkXoC0zSjAfBgNVHSMEGDAWgBS16IlYfCTS1g3f9qm9sMkXoC0zSjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAIBUAIXwBrmEFj1TAzHVqUNH2OwTgwGqdz6BnZB57hKVoIxPrLARFxxZZruI6UomdQe9bHU+wiA1VQdVX9rhsf9T5Y4e7e1ZmpxP4nHMTn5MYT25ax8A3p7+eHcU5qjT5DGpj4cqV78+dIu6Ly2Uu35ZF4m5jB0sYF+c2Nz/pNII然后,创建一个Ingress(记得要创建deployment与service)
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: tomcat
spec:
rules:
- host: tomcat.ctg.com
http:
paths:
- path: /
backend:
serviceName: tomcat
servicePort: 8080
tls:
- secretName: tomcat
hosts:
- tomcat.ctg.com然后,我们在就能访问了https://tomcat.ctg.com了
未定义行为
1. 同一个Ingress中path相同
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test
spec:
rules:
- http:
paths:
- path: /foo
backend:
serviceName: test
servicePort: 8080
- path: /foo
backend:
serviceName: test
servicePort: 8081以上的Ingress可以创建成功,不会报错,但是当我们访问x.x.x.x:80/foo时,是不确定Nginx-Ingress-Controller会转发到test:8080还是test:8081
2. 两个Ingress的Host相同
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test
spec:
rules:
- host: test.ctg.com
http:
paths:
- path: /foo
backend:
serviceName: test
servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test1
spec:
rules:
- host: test.ctg.com
http:
paths:
- path: /foo
backend:
serviceName: test
servicePort: 8080非法行为
1. 同一个Ingress中的Host相同
以下Yaml文件创建时会报错,因为host一样
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test
spec:
rules:
- host: test.ctg.com
http:
paths:
- path: /foo
backend:
serviceName: test
servicePort: 8080
- host: test.ctg.com
http:
paths:
- path: /bar
backend:
serviceName: test
servicePort: 8081Last updated
Was this helpful?